Re: self-signed leaf cert not = self generated root
The structure of the certs aren't exactly the same, as part of the cert defines what the cert can be used for, and many applications will treat a root signing cert as invalid if submitted for a different role. Most apps these days will also pop a warning that it is not itself countersigned by another CA that is already in the trust store.
Once you add a bogus root though, you're screwed because that cert can be used to generate a spoof of any cert, for any site, and for any purpose.
SSLs math is sound, but it's logic of trust is, and remains, fatally flawed. As a result, the state backed CAs of the worlds repressive governments have been caught with their hands in the cookie jar issuing fake certs to MITM traffic to each other and the biggest sites on the internet.
So now Chrome uses pinned certs and will block connections if it see's a forged cert for Goofabet domains. Your banking sight might not be so lucky.
Fixing this means fixing the trust model, by allowing domains to declare or designate their CA's and only trusting certs for a domain that are signed by a designated authority. Annoyingly, this isn't even that hard to implement, but the bad faith actors like verisign and godaddy have enjoyed getting rich of the status quo.